ReflectDocs
Operate

Admin panel walkthrough

A tour of the operator console: apps, partners, tracking links, postbacks, plans & billing, and the super-admin views.

Sign in

Reflect uses passwordless email magic links. Go to /login, enter your work email, click the link in your inbox.

Tenant pages

Dashboard

KPIs for the last 30 days: installs, attributed installs (paid vs. organic), revenue (USD), top partners. The first thing you check after pushing a new build.

Apps

Register one row per (app × platform). Each row gets:

  • AppKey — public-ish identifier, paste into ReflectConfig.AppKey.
  • SigningSecret — HMAC secret. Rotate any time; rotate before public exposure.
  • Bundle id — must match your build settings.
  • Store URL — destination for tracking-link redirects.
  • Live toggle — when false, organic ingestion still works but tracking-link redirects fall back to a maintenance page (use during pre-launch testing).

Partners

Each ad network you spend money on gets a partner row. Important fields:

  • Slug — used in postback macros ({partner_slug}).
  • Require referer — drop clicks with no Referer header (catches bot traffic).
  • Rate limit /min — clicks/IP/min ceiling.
  • Active — can be auto-paused by the quality scorer.

Tracking links

Generate one per (app × partner × campaign). Reflect mints an 8-char id; the redirect URL is https://your.worker/l/<id>. Configure:

  • Campaign name, sub1–sub5 — passed through to attribution + postbacks.
  • Allowed countries — block clicks from outside.
  • Mobile only — drop desktop clicks.
  • Honeypot — invisible-to-humans link; any hit auto-blocks the source IP for 7 days.
  • Deep link path — appended to the install referrer / AdServices payload so the SDK can route on first launch (see Deep linking).
  • Attribution override — per-link click-to-install window in hours (default 24h).

Postback log

Every outbound HTTP fire — partner, event, status, http code, duration, request body, response body, error. The forensic record when a partner says "we’re not getting your postbacks".

Postback templates

Per (partner × event), define the URL + method + body to fire. Macros: {event_id}, {install_uuid}, {revenue}, {currency}, {partner_slug}, {campaign}, {sub1}{sub5}, {country}, etc.

Dedupe windows + allow-duplicates flags inherited from events_taxonomy; override per template if needed.

Reports

  • Installs — by app, partner, country, day. CSV export.
  • Revenue — USD-converted via fx_rates. CSV export.
  • Attribution — installs broken down by attribution_type (deterministic / fingerprint / organic) + fraud flags.

Fraud

Rejected clicks by reason (UA bot, country block, ASN datacenter, rate limit, honeypot, etc.). Auto-blocked IP /24 subnets with one-click unblock.

Billing & usage

Current plan, live usage meters (events / attributions / postbacks / clicks), upgrade to a paid tier via PayPal, invoice history. Cancel anytime — plan stays active to the end of the period you’ve paid for.

Settings

Your CompanyKey, contact email, timezone, team members.

Super-admin pages (operator only)

  • Overview — cross-tenant KPIs.
  • Resource usage — load + cost + margin per tenant; identify upgrade candidates and at-cap tenants.
  • Companies — every tenant; drill into one for usage meters, plan override, invoices, app-level breakdown, activity feed.
  • Plans & pricing — pricing tier CRUD; PayPal plan IDs per tier.
  • Invite requests + Invites — beta intake.

Audit log

Every mutation through the admin panel is logged with actor email + IP + timestamp + diff. Surfaced in super-admin per-tenant Activity feed.

← Previous
Debug overlay
Next →
REST API